Kibana 8.18.8, 8.19.5, 9.0.8, and 9.1.5 Security Update (ESA-2025-20)

Kibana Cross-Site Scripting (XSS) (ESA-2025-20)

Improper Neutralization of Input During Web Page Generation in Kibana can lead to Stored XSS via case file upload.

Affected Versions:

  • 7.x: All versions prior to and including 7.17.29
  • 8.x: All versions from 8.0.0 up to and including 8.18.7
  • 8.19.x: All versions from 8.19.0 up to and including 8.19.4
  • 9.0.x: All versions from 9.0.0 up to and including 9.0.7
  • 9.1.x: All versions from 9.1.0 up to and including 9.1.4

Affected Configurations:

The attacker requires the ability to upload files to Kibana cases; see https://www.elastic.co/docs/explore-analyze/alerts-cases/cases/manage-cases#add-case-files

Solutions and Mitigations:

Users should upgrade to the versions below or later:

  • 8.18.8
  • 8.19.5
  • 9.0.8
  • 9.1.5

For Users that Cannot Upgrade:

Self-hosted & Cloud

For versions >= 7.12 and < 9.0, users can set discover:searchFieldsFromSource: true in Advanced Settings.

There are no workarounds for 9.0 and later.
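To check an inventory of Kibana instances against the version ranges and mitigations listed above, the following added example (not Elastic's code) encodes the advisory's affected ranges, fixed releases and the workaround window; the lower bound 7.0.0 for the "7.x" range and the handling of suffixed versions such as "8.18.7-SNAPSHOT" are assumptions.

```python
"""Assess a Kibana version string against ESA-2025-20 (CVE-2025-25009)."""
from typing import Dict, Optional, Tuple

Version = Tuple[int, int, int]

# Inclusive affected ranges taken from the advisory, paired with the fixed
# release to upgrade to. The advisory lists no fixed release for 7.x.
# The 7.0.0 lower bound is an assumption drawn from the "7.x" label.
AFFECTED_RANGES = [
    ((7, 0, 0), (7, 17, 29), None),
    ((8, 0, 0), (8, 18, 7), "8.18.8"),
    ((8, 19, 0), (8, 19, 4), "8.19.5"),
    ((9, 0, 0), (9, 0, 7), "9.0.8"),
    ((9, 1, 0), (9, 1, 4), "9.1.5"),
]

# Workaround window from the advisory: >= 7.12 and < 9.0.
WORKAROUND_LOW: Version = (7, 12, 0)
WORKAROUND_HIGH_EXCLUSIVE: Version = (9, 0, 0)
WORKAROUND_SETTING = "discover:searchFieldsFromSource: true"


def parse_version(text: str) -> Version:
    """Parse 'MAJOR.MINOR.PATCH' (optionally with a '-suffix') into a tuple."""
    core = text.strip().split("-", 1)[0]          # drop e.g. '-SNAPSHOT' (assumed)
    parts = core.split(".")
    if len(parts) != 3:
        raise ValueError(f"unexpected Kibana version format: {text!r}")
    major, minor, patch = (int(p) for p in parts)
    return (major, minor, patch)


def assess(version_text: str) -> Dict[str, object]:
    """Return affected status, fixed release and workaround availability."""
    version = parse_version(version_text)
    for low, high, fixed in AFFECTED_RANGES:
        if low <= version <= high:
            has_workaround = WORKAROUND_LOW <= version < WORKAROUND_HIGH_EXCLUSIVE
            return {
                "affected": True,
                "fixed_version": fixed,
                "workaround": WORKAROUND_SETTING if has_workaround else None,
            }
    return {"affected": False, "fixed_version": None, "workaround": None}


if __name__ == "__main__":
    # Constructed sample inventory, not real hosts.
    for v in ["7.10.2", "7.17.29", "8.18.7", "8.18.8", "9.1.4", "9.1.5"]:
        print(v, assess(v))
```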

Severity: CVSSv3.1: 8.7 (High) - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N

CVE ID: CVE-2025-25009